[11/17] bfi: Add some very basic sanity checks for input packet sizes

Message ID 1380406879-6174-11-git-send-email-martin@martin.st
State Committed
Commit 640a2427aafa774b83316b7a8c5c2bdc28bfd269

Commit Message

Martin Storsjö Sept. 28, 2013, 10:21 p.m.
CC: libav-stable@libav.org
---
 libavformat/bfi.c |    4 ++++
 1 file changed, 4 insertions(+)

Comments

Kostya Shishkov Sept. 29, 2013, 6:03 a.m. | #1
On Sun, Sep 29, 2013 at 01:21:13AM +0300, Martin Storsjö wrote:
> CC: libav-stable@libav.org
> ---
>  libavformat/bfi.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/bfi.c b/libavformat/bfi.c
> index 5d7ccb8..19060e7 100644
> --- a/libavformat/bfi.c
> +++ b/libavformat/bfi.c
> @@ -132,6 +132,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
>          video_offset    = avio_rl32(pb);
>          audio_size      = video_offset - audio_offset;
>          bfi->video_size = chunk_size - video_offset;
> +        if (audio_size < 0 || bfi->video_size < 0) {
> +            av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
> +            return AVERROR_INVALIDDATA;
> +        }
>  
>          //Tossing an audio packet at the audio decoder.
>          ret = av_get_packet(pb, pkt, audio_size);
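
Review bot: The test `if (audio_size < 0 || bfi->video_size < 0)` validates the results of the two subtractions rather than their operands, so it relies on `video_offset - audio_offset` and `chunk_size - video_offset` not overflowing. `video_offset` comes straight from `avio_rl32(pb)`; the declarations are outside this hunk, but if these variables are signed ints, a file-supplied value above INT_MAX typically ends up negative and a difference can wrap to a positive size that passes the test and reaches `av_get_packet(pb, pkt, audio_size)`. Consider rejecting negative offsets first and comparing the operands directly (`video_offset < audio_offset || chunk_size < video_offset`) before subtracting.
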
> -- 

looks OK

Patch

diff --git a/libavformat/bfi.c b/libavformat/bfi.c
index 5d7ccb8..19060e7 100644
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -132,6 +132,10 @@  static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
         video_offset    = avio_rl32(pb);
         audio_size      = video_offset - audio_offset;
         bfi->video_size = chunk_size - video_offset;
+        if (audio_size < 0 || bfi->video_size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         //Tossing an audio packet at the audio decoder.
         ret = av_get_packet(pb, pkt, audio_size);
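
Review bot: `bfi->video_size = chunk_size - video_offset;` writes into the `bfi` state before the new check runs, so on the `return AVERROR_INVALIDDATA` path that field keeps the negative size. If anything can read `bfi->video_size` after this error, compute the difference into a local and assign it only once it has passed the check. The log message would also be easier to act on if it printed the offending offsets and chunk size, and the commit message has no body saying what input triggered the problem.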